Audit Report

OIG-11-022
Management Letter for Fiscal Year 2010 Audit of the Federal Financing Bank’s Financial Statements

November 12, 2010

Office of Inspector General
Department of the Treasury

This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information on pages 2 and 3 requiring protection from public dissemination has been redacted from this report in accordance with Exemption 2 of the Freedom of Information Act, 5 U.S.C. Section 552.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

November 12, 2010

MEMORANDUM FOR GARY BURNER, CHIEF FINANCIAL OFFICER
               FEDERAL FINANCING BANK

FROM:          Michael Fitzgerald
               Director, Financial Audits

SUBJECT:       Management Letter for Fiscal Year 2010 Audit of the Federal Financing Bank’s Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Federal Financing Bank’s (FFB) Fiscal Year 2010 financial statements. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of the financial statements of FFB as of September 30, 2010, and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter that discusses matters involving internal control over financial reporting and its operation that were identified during the audit but were not required to be included in the auditors’ reports.

In connection with the contract, we reviewed KPMG LLP’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789 or a member of your staff may contact Shiela Michel, Manager, Financial Audits, at (202) 927-5407.

Attachment


KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

November 10, 2010

Inspector General, U.S. Department of the Treasury, and
the Board of Directors, Federal Financing Bank:

In planning and performing our audit of the Federal Financing Bank’s (the Bank) financial statements as of and for the year ended September 30, 2010, in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, we considered the Bank’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements but not for the purpose of expressing an opinion on the effectiveness of the Bank’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Bank’s internal control.

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized in Exhibit I. We also provide in Exhibit II the status of the comment and recommendations included in our letter arising from the fiscal year 2009 audit.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements, and, therefore, may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of the Bank gained during our work to make comments and suggestions that we hope will be useful to you.

This communication is intended solely for the information and use of the Bank’s management, the U.S. Department of the Treasury’s Office of Inspector General, the U.S. Government Accountability Office, the Office of Management and Budget, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.


Exhibit I

Federal Financing Bank
Comments and Recommendations
September 30, 2010

1. Unsuccessful Login Attempts

The Bank’s financial system does not lock user accounts after three unsuccessful user logon attempts in a [redacted] period, as required by the U.S. Department of the Treasury’s (Treasury) Departmental Offices (DO) 910, Information Technology Security Policy Handbook. If user accounts are not locked after a set number of failed logon attempts, unauthorized users may make repeated logon attempts to potentially gain unauthorized access.

Recommendation

We recommend that the Bank modify the financial system security configuration to lock user accounts in accordance with Treasury information technology policy after three failed logon attempts.

Management’s Response

Management concurs with the finding and recommendation. Management indicated that they will configure the financial system to temporarily lock out users after failed logon attempts in fiscal year 2011. An email notification of the lock out will be automatically provided to appropriate Bank personnel. We did not audit management’s response, and, accordingly, we express no opinion on it.

2. Password Policy

The Bank’s financial system was not properly configured to check password expirations and force users to change passwords every [redacted] in accordance with the Bank’s password policy. During our testing, we noted that two of the thirty users tested had not changed their password in over [redacted]. Improper password configuration increases the risk for an unauthorized user to gain access to the system, which could compromise data integrity.

Recommendation

We recommend that Bank management conduct either manual or automated monthly reviews of user accounts and disable user accounts that have not changed their passwords within sixty days.

Management’s Response

Management concurs with the finding and recommendation. Management indicated that they will implement a process to monitor the changing of passwords in fiscal year 2011. We did not audit management’s response, and, accordingly, we express no opinion on it.


Exhibit II

Federal Financing Bank
Status of Prior Year Comment
September 30, 2010

Prior Year Comment                                       Current Year Status

1. Interest Credits on the Cushion of Credit Accounts    This comment has been corrected.
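
The automated review recommended under comment 2 (Password Policy) in Exhibit I, sketched as an added example that is not part of the audit report or of the Bank's financial system. The CSV export format, column names and accounts are constructed for illustration; only the sixty-day limit comes from the recommendation.

```python
import csv
import io
from datetime import date, timedelta

# "within sixty days" is the limit stated in the recommendation.
MAX_PASSWORD_AGE = timedelta(days=60)

# Constructed sample export; column names and accounts are hypothetical.
SAMPLE_EXPORT = """\
username,status,created,last_password_change
alice,active,2009-03-02,2010-09-01
bob,active,2008-11-17,2010-05-20
carol,active,2010-01-04,
dave,disabled,2007-06-30,2009-12-15
erin,active,2010-08-25,2010-08-25
"""


def stale_password_accounts(export_text, review_date):
    """Return (username, age_in_days) for active accounts whose password
    is older than MAX_PASSWORD_AGE on review_date, oldest first."""
    stale = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue  # already disabled, so the review has nothing to do
        # An account that never changed its password is aged from creation,
        # so an empty field cannot hide it from the review.
        stamp = row["last_password_change"].strip() or row["created"].strip()
        age = review_date - date.fromisoformat(stamp)
        if age > MAX_PASSWORD_AGE:  # exactly 60 days is still within policy
            stale.append((row["username"], age.days))
    return sorted(stale, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for user, days in stale_password_accounts(SAMPLE_EXPORT, date(2010, 9, 30)):
        print(f"disable {user}: password unchanged for {days} days")
```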